Cloudflare Access not working on sub-sub-domains

Just set up Cloudflare Access and it’s working very nicely but only for one access policy.

On Cloudflare I have SSL/TLS mode to full, redirect to HTTPS enabled and HSTS on.

So, I have proxied A records for a.domain.com, a.a.domain.com, b.a.domain.com and c.a.domain.com all pointing at primary-ip.

I originally had the sub-sub domains as CNAME records pointing at a.domain.com with a wildcard but I’ve moved to explicitly defining the records, to remove any possible issues.

Now, I have Access policies for a.mydomain.com as well as the sub-sub domains.

At primary-ip I have Nginx Proxy Manager generating Let's Encrypt certs for the sub and sub-sub domains individually, enforcing SSL and redirecting the traffic to my internal devices.

To the crux of my issue. For some reason Cloudflare Access works perfectly on a.domain.com but on *.a.domain.com I don’t even get directed to the authentication page and Chrome gives me ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

I’ve pinged the *.a.domain.com sub-sub-domains and they are being proxied… So I’m stumped as to what is wrong…

Hi @mearman,

This looks to me to be an SSL/TLS issue rather than an issue with Access.

Hmm, but that wouldn’t explain why I’m not getting directed to the Access authentication page on the sub-sub domains, would it?

Also the certificates for a.domain.com and the *.domain.com domains are being generated exactly the same way.

Just for clarity, I’m not trying to generate a wildcard certificate. Just several sub-sub-domain certificates.

Are you using Cloudflare’s Universal SSL certificate, or a dedicated certificate? The Universal or $5 dedicated certs only cover *.domain.com, not *.sub.domain.com. So I would not expect

to work.

If you are redirecting to HTTPS, I believe the SSL error will occur before Access kicks in.

I’m generating specific sub-sub-domain certificates on the host. Not wildcard certificates.

Which is fine, and you do need the certs on your server, but that doesn’t affect the certificate on Cloudflare’s proxies which will only cover *.domain.com unless you have a dedicated certificate.
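An added example (not from this thread) that makes the coverage point concrete: RFC 6125 wildcard matching lets `*.domain.com` cover exactly one extra label, so the thread's sub-sub-domains fall outside a Universal certificate and the edge fails the handshake before Access ever runs. The SAN list is a constructed stand-in for what such a certificate carries, and `live_sans` is a helper you can point at a real host when you have network access.

```python
"""Check which hostnames a certificate's Subject Alternative Names cover.

Wildcard matching follows RFC 6125: a leading "*." matches exactly one DNS
label, so "*.domain.com" covers "a.domain.com" but NOT "a.a.domain.com".
"""
import socket
import ssl
from typing import Iterable, List, Tuple


def san_covers(san: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    # Wildcard: the host needs exactly one more label than the suffix,
    # and everything after that first label must equal the suffix.
    suffix = san[2:]
    labels = hostname.split(".")
    if len(labels) != suffix.count(".") + 2:
        return False
    return ".".join(labels[1:]) == suffix


def coverage_report(sans: Iterable[str], hostnames: Iterable[str]) -> List[Tuple[str, bool]]:
    """For each hostname, report whether any SAN on the certificate covers it."""
    sans = list(sans)
    return [(h, any(san_covers(s, h) for s in sans)) for h in hostnames]


def live_sans(hostname: str, port: int = 443) -> List[str]:
    """Fetch the SAN dNSName entries a server presents for hostname (needs network).

    If the edge holds no certificate matching the SNI, the handshake raises
    ssl.SSLError here, which is the same failure the browser reports.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed example mirroring the thread: SANs of a Universal certificate
# for domain.com, and the records the poster proxied through Cloudflare.
UNIVERSAL_SANS = ["domain.com", "*.domain.com"]
PROXIED_HOSTS = ["a.domain.com", "a.a.domain.com", "b.a.domain.com", "c.a.domain.com"]

if __name__ == "__main__":
    for host, ok in coverage_report(UNIVERSAL_SANS, PROXIED_HOSTS):
        print(f"{host:16} {'covered' if ok else 'NOT covered: TLS fails before Access'}")
```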

Hmm, good point.

I’ll push everything up so it’s just sub-domains rather than sub-sub-domains and test.

Ok, problem solved I think.

Cloudflare SSL/TLS set to flexible but with Always Use HTTPS redirect turned on. Though I may switch that to a page-rule for the subdomains.

Proxied A record for sub.domain.com.
Proxied CNAME records for a, b and c.domain.com that point to sub.domain.com.

Cloudflare Access records set up for a, b, c and sub.domain.com.

NGINX running at sub.domain.com with no SSL which is proxying for a, b, c and sub.domain.com.